We claim:

1. A computer program product embodied on computer readable media readable by a computing system in a computing environment, for enforcing security policy using style sheet processing, comprising:

an input document;

one or more stored policy enforcement objects, wherein each of said stored policy enforcement objects specifies a security policy to be associated with zero or more elements of said input document;

a Document Type Definition (DTD) corresponding to said input document, wherein said DTD has been augmented with one or more references to selected ones of said stored policy enforcement objects;

an augmented style sheet processor, wherein said augmented processor further comprises:

computer-readable program code means for loading said DTD;

computer-readable program code means for resolving each of said one or more references in said loaded DTD;

computer-readable program code means for instantiating said policy enforcement objects associated with said resolved references;

computer-readable program code means for executing selected ones of said instantiated policy enforcement objects during application of one or more style sheets to said input document, wherein a result of said computer-readable program code means for executing is an interim transient document reflecting said execution;

computer-readable program code means for generating one or more random encryption keys;

computer-readable program code means for encrypting selected elements of said interim transient document, wherein a particular one of said generated random encryption keys may be used to encrypt one or more of said selected elements, while leaving zero or more other elements of said interim transient document unencrypted;

computer-readable program code means for encrypting each of said one or more random encryption keys; and

computer-readable program code means for creating an encrypted output document comprising said zero or more other unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;

computer-readable program code means for requesting, from a user or process on a client device, said encrypted output document, wherein said user or process is a member of a particular group authorized to view at least one of said selected encrypted elements;

computer-readable program code means for receiving said requested output document at said client device; and

an augmented document processor executed on said client device, comprising:

computer-readable program code means for contacting a clerk of said particular group for decryption of selected ones of said encrypted encryption keys; and

computer-readable program code means for decrypting said requested output document using said decrypted selected ones of said encrypted encryption keys, thereby creating a result document.
2. The computer program product according to Claim 1, further comprising computer-readable program code means for rendering said result document on said client device.

3. The computer program product according to Claim 1, wherein said interim transient document comprises one or more encryption tags identifying elements needing encryption.

4. The computer program product according to Claim 1, wherein said input document is specified in an Extensible Markup Language (XML) notation.

5. The computer program product according to Claim 4, wherein said result document is specified in said XML notation.

6. The computer program product according to Claim 1, wherein said stored policy enforcement objects further comprise computer-readable program code means for overriding a method for evaluating said elements of said input document, and wherein said computer-readable program code means for executing further comprises computer-readable program code means for executing said computer-readable program code means for overriding.

7. The computer program product according to Claim 6, wherein said style sheets are specified in an Extensible Stylesheet Language (XSL) notation.

8. The computer program product according to Claim 7, wherein said method is a value-of method of said XSL notation, and wherein said computer-readable program code means for overriding said value-of method is by subclassing said value-of method.

9. The computer program product according to Claim 6 or Claim 8, wherein:

said overridden method comprises:

computer-readable program code means for generating encryption tags; and

computer-readable program code means for inserting said generated encryption tags into said interim transient document to surround elements of said interim transient document which are determined to require encryption; and

said computer-readable program code means for encrypting selected elements encrypts those elements surrounded by said inserted encryption tags.

10. The computer program product according to Claim 2, wherein:

each of said instantiated policy enforcement objects further comprises:

a specification of a community that is authorized to view said elements associated with said security policy, said specification of said communities further comprising specification of at least one of: (1) one or more individual users or processes which are community members, and (2) one or more groups which are community members, wherein each of said groups comprises one or more individual users or processes; and

an encryption requirement for said elements associated with said security policy; and

wherein said particular group is specified as one of said community members.

11. The computer program product according to Claim 10, wherein said encryption requirement further comprises specification of an encryption algorithm.

12. The computer program product according to Claim 10, wherein said encryption requirement further comprises specification of an encryption algorithm strength value.

13. The computer program product according to Claim 10, wherein:

said computer-readable program code means for encrypting said encryption keys further comprises computer-readable program code means for encrypting a different version of each of said random encryption keys for each of said one or more members of each of zero or more of said communities which uses said encryption key, and wherein each of said different versions is encrypted using a public key of said community member for which said different version was encrypted.

14. The computer program product according to Claim 10, wherein said encryption requirement may have a null value to indicate that said specified security policy does not require encryption.

15. The computer program product according to Claim 1, wherein said computer-readable program code means for encrypting selected elements uses a cipher block chaining mode encryption process.
16. The computer program product according to Claim 13, further comprising:

computer-readable program code means for creating a key class for each unique community, wherein said key class is associated with each of said encrypted elements for which this unique community is an authorized viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said associated encrypted elements; (2) an identifier of each of said members of said unique community; and (3) one of said different versions of said encrypted encryption key for each of said identified community members; and

wherein:

said computer-readable program code means for generating said one or more random encryption keys generates a particular one of said random encryption keys for each of said key classes, and wherein each of said different versions in a particular key class is encrypted from said generated encryption key generated for said key class; and

said computer-readable program code means for encrypting selected elements uses that one of said particular random encryption keys which was generated for said key class with which said selected element is associated.



17. The computer program product according to Claim 13, wherein:

said computer-readable program code means for decrypting said requested output document further comprises:

computer-readable program code means for expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;

computer-readable program code means for determining one or more of said expanded communities of which said requesting user or process is one of said expanded group members;

computer-readable program code means for decrypting, for each of said determined communities, said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members, thereby creating a decrypted key for each of said determined communities; and

computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document using said decrypted keys, wherein said selected ones of said encrypted elements are those which were encrypted for one of said determined communities; and

said computer-readable program code means for rendering further comprises:

computer-readable program code means for rendering said decrypted selected ones and said other unencrypted elements.

18. The computer program product according to Claim 17, wherein:

said computer-readable program code means for contacting said group clerk further comprises:

computer-readable program code means for locating said group clerk; and

computer-readable program code means for establishing a session between said client device and said group clerk;

said computer-readable program code means for decrypting said different version for each of said determined communities further comprises:

computer-readable program code means for digitally signing said different version by said requesting user or process, thereby creating a first digital signature;

computer-readable program code means for sending said first digital signature and said different version to said group clerk on said session;

computer-readable program code means for receiving said sent first digital signature and said different version by said group clerk;

computer-readable program code means for verifying said first digital signature by said group clerk;

computer-readable program code means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;

computer-readable program code means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;

computer-readable program code means for re-encrypting said decrypted different version using a public key of said requesting user or process, thereby creating a re-encrypted key;

computer-readable program code means for digitally signing said re-encrypted key by said group clerk, thereby creating a second digital signature;

computer-readable program code means for returning said second digital signature and said re-encrypted key from said group clerk to said client device on said session;

computer-readable program code means for receiving said second digital signature and said re-encrypted key at said client device;

computer-readable program code means for verifying said second digital signature at said client device; and

computer-readable program code means, operable on said client device, for decrypting said received re-encrypted key using a private key of said requesting user or process, creating said decrypted key; and

said computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document is executed at said client device using said decrypted key.



19. The computer program product according to Claim 13, wherein:

said computer-readable program code means for decrypting said requested output document further comprises:

computer-readable program code means for expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;

computer-readable program code means for determining one or more of said expanded communities of which said requesting user or process is one of said expanded group members; and

computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document, wherein said selected ones of said encrypted elements are those which were encrypted for one of said determined communities; and

said computer-readable program code means for rendering further comprises:

computer-readable program code means for rendering said returned decrypted elements and said other unencrypted elements.



20. The computer program product according to Claim 19, wherein:

said computer-readable program code means for contacting said group clerk further comprises:

computer-readable program code means for locating said group clerk; and

computer-readable program code means for establishing a mutually-authenticated secure session between said client device and said group clerk; and

said computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document further comprises:

computer-readable program code means for locating said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members;

computer-readable program code means for sending said located different version to said group clerk, along with an element encrypted with said different version, on said secure session;

computer-readable program code means for receiving said sent different version and said element by said group clerk;

computer-readable program code means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;

computer-readable program code means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;

computer-readable program code means for decrypting said element using said decrypted different version; and

computer-readable program code means for returning said decrypted element from said group clerk to said client device on said secure session.

21. The computer program product according to Claim 16, wherein:

said computer-readable program code means for contacting said group clerk further comprises:

computer-readable program code means for locating said group clerk; and

computer-readable program code means for establishing a mutually-authenticated secure session between said client device and said group clerk;

said computer-readable program code means for decrypting said requested output document further comprises:

computer-readable program code means for expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;

computer-readable program code means for determining one or more of said key classes which identify said requesting user or process as one of said expanded group members;

computer-readable program code means for decrypting, for each of said determined key classes, said different version of said random encryption key in said key class which was encrypted using said public key of said one member, wherein said computer-readable program code means for decrypting uses a private key of said one member which is associated with said public key which was used for encryption, thereby creating a decrypted key; and

computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document using said decrypted keys, wherein said selected ones of said encrypted elements are those which were encrypted for said key class; and

said computer-readable program code means for rendering further comprises:

computer-readable program code means for rendering said decrypted selected ones and said other unencrypted elements.



22. The computer program product according to Claim 17, wherein:

said computer-readable program code means for contacting said group clerk further comprises:

computer-readable program code means for locating said group clerk; and

computer-readable program code means for establishing a mutually-authenticated secure session between said client device and said group clerk;

said computer-readable program code means for decrypting said different version for each of said determined communities further comprises:

computer-readable program code means for sending said different version to said group clerk on said secure session;

computer-readable program code means for receiving said sent different version by said group clerk;

computer-readable program code means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;

computer-readable program code means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;

computer-readable program code means for returning said decrypted different version from said group clerk to said client device on said secure session; and

computer-readable program code means for receiving said decrypted different version at said client device; and

said computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document is executed at said client device using said received decrypted different version.

23. The computer program product according to Claim 17, Claim 21, or Claim 22, wherein said computer-readable program code means for rendering further comprises computer-readable program code means for rendering a substitute text message for any of said selected encrypted elements in said requested output document which cannot be decrypted by said computer-readable program code means for decrypting said requested output document.



24. The computer program product according to Claim 19, wherein:

said computer-readable program code means for contacting said group clerk further comprises:

computer-readable program code means for locating said group clerk; and

computer-readable program code means for establishing a session between said client device and said group clerk; and

said computer-readable program code means for decrypting selected ones of said encrypted elements in said requested output document further comprises:

computer-readable program code means for locating said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members;

computer-readable program code means for digitally signing, by said requesting user or process, said located version and an element encrypted with said different version, thereby creating a first digital signature;

computer-readable program code means for sending said first digital signature, said located different version, and said element to said group clerk on said session;

computer-readable program code means for receiving said sent first digital signature, said different version, and said element by said group clerk;

computer-readable program code means for verifying said first digital signature by said group clerk;

computer-readable program code means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;

computer-readable program code means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;

computer-readable program code means for decrypting said element using said decrypted different version;

computer-readable program code means for re-encrypting said decrypted element using a public key of said requesting user or process, thereby creating a re-encrypted element;

computer-readable program code means for digitally signing said re-encrypted element by said group clerk, thereby creating a second digital signature;

computer-readable program code means for returning said second digital signature and said re-encrypted element from said group clerk to said client device on said session;

computer-readable program code means for receiving said second digital signature and said re-encrypted element at said client device; and

computer-readable program code means for verifying said second digital signature by said requesting user or process.



25. The computer program product according to Claim 1, wherein said DTD is replaced by a schema.

26. The computer program product according to Claim 10, wherein said encryption requirement further comprises specification of an encryption key length.

27. The computer program product according to Claim 9, wherein said inserted encryption tags may surround either values of said elements or values and tags of said elements.
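A worked example of the encryption and client-side decryption stages described in Claims 1, 13, 14, 16, 17 and 23, added here as an illustration; it is not code from the patent or from any implementation of it. It assumes Go's standard library for RSA-OAEP key wrapping and AES; it uses AES-GCM in place of the cipher block chaining mode named in Claim 15 (an assumption, so that a tampered element is rejected rather than decrypted to garbage); the member directory, the document and the names Element, Members, KeyClass, EncElement, OutputDoc, Encrypt and Decrypt are constructed for the example; and the client unwraps its own key copies as in Claims 17 and 21, so the group clerk exchange of Claims 18 to 24 is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Element: one element of the interim transient document (Community "" is the null
// encryption requirement of claim 14); KeyClass: one random key per unique community
// (claim 16) wrapped under each member's public key (claim 13); Members is constructed.
type (
	Element    struct{ Name, Value, Community string }
	Members    map[string]map[string]*rsa.PublicKey
	KeyClass   struct{ Community string; key []byte; Wrapped map[string][]byte }
	EncElement struct{ Name, Community string; Nonce, Ciphertext []byte }
	OutputDoc  struct{ Plain []Element; Encrypted []EncElement; Classes []*KeyClass } // claim 1
)

// NewMemberKey makes an RSA key pair for a constructed community member.
func NewMemberKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { panic(err) }
	return k
}

// Claim 15 names CBC mode; this example uses AES-GCM instead (an assumption) so that a
// tampered element is rejected, and binds each ciphertext to its element name as AAD.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt is the processor's output stage: key classes, wrapped class keys, encrypted elements.
func Encrypt(doc []Element, members Members) (*OutputDoc, error) {
	out, classes := &OutputDoc{}, map[string]*KeyClass{}
	for _, el := range doc {
		if el.Community == "" {
			out.Plain = append(out.Plain, el)
			continue
		}
		kc, ok := classes[el.Community]
		if !ok {
			key := make([]byte, 32) // fresh random AES-256 key for this key class
			if _, err := io.ReadFull(rand.Reader, key); err != nil { return nil, err }
			kc = &KeyClass{el.Community, key, map[string][]byte{}}
			for name, pub := range members[el.Community] {
				w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(el.Community))
				if err != nil { return nil, err }
				kc.Wrapped[name] = w
			}
			classes[el.Community] = kc
			out.Classes = append(out.Classes, kc)
		}
		gcm, err := aead(kc.key)
		if err != nil { return nil, err }
		nonce := make([]byte, gcm.NonceSize())
		if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
		out.Encrypted = append(out.Encrypted, EncElement{el.Name, el.Community, nonce, gcm.Seal(nil, nonce, []byte(el.Value), []byte(el.Name))})
	}
	return out, nil
}

// Decrypt is the client's augmented document processor. As in claims 17 and 21 the
// requester unwraps only the key classes that list it (the clerk exchange of claims
// 18-24 is not modelled); anything else is rendered as substitute text (claim 23).
func Decrypt(out *OutputDoc, member string, priv *rsa.PrivateKey) map[string]string {
	result, keys := map[string]string{}, map[string][]byte{}
	for _, el := range out.Plain { result[el.Name] = el.Value }
	for _, kc := range out.Classes {
		if w, ok := kc.Wrapped[member]; ok {
			if k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, []byte(kc.Community)); err == nil { keys[kc.Community] = k }
		}
	}
	for _, e := range out.Encrypted {
		if key, ok := keys[e.Community]; !ok {
			result[e.Name] = "[withheld: not a member of " + e.Community + "]"
		} else if gcm, err := aead(key); err != nil || len(e.Nonce) != gcm.NonceSize() {
			result[e.Name] = "[withheld: malformed element]"
		} else if pt, err := gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(e.Name)); err != nil {
			result[e.Name] = "[withheld: decryption failed]" // wrong key or tampered ciphertext
		} else {
			result[e.Name] = string(pt)
		}
	}
	return result
}

func main() {
	alice, bob := NewMemberKey(), NewMemberKey()
	members := Members{"payroll": {"alice": &alice.PublicKey}, "hr": {"alice": &alice.PublicKey, "bob": &bob.PublicKey}}
	out, err := Encrypt([]Element{{"title", "Q3 review", ""}, {"salary", "123456", "payroll"}, {"rating", "exceeds", "hr"}}, members)
	if err != nil { panic(err) }
	fmt.Println("alice:", Decrypt(out, "alice", alice), "\nbob:", Decrypt(out, "bob", bob))
}
```

Running main shows the two-member case: alice, listed in both key classes, recovers every element; bob, a member of hr only, sees the title and rating but the substitute text in place of the salary. Two choices go beyond what the claims spell out: the OAEP label ties each wrapped key version to its community, and the element name is passed as associated data, so a ciphertext cannot be moved to another position in the output document without decryption failing.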



28. A system for enforcing security policy using style sheet processing in a computing environment, comprising:

an input document;

one or more stored policy enforcement objects, wherein each of said stored policy enforcement objects specifies a security policy to be associated with zero or more elements of said input document;

a Document Type Definition (DTD) corresponding to said input document, wherein said DTD has been augmented with one or more references to selected ones of said stored policy enforcement objects;

an augmented style sheet processor, wherein said augmented processor further comprises:

means for loading said DTD;

means for resolving each of said one or more references in said loaded DTD;

means for instantiating said policy enforcement objects associated with said resolved references;

means for executing selected ones of said instantiated policy enforcement objects during application of one or more style sheets to said input document, wherein a result of said means for executing is an interim transient document reflecting said execution;

means for generating one or more random encryption keys;

means for encrypting selected elements of said interim transient document, wherein a particular one of said generated random encryption keys may be used to encrypt one or more of said selected elements, while leaving zero or more other elements of said interim transient document unencrypted;

means for encrypting each of said one or more random encryption keys; and

means for creating an encrypted output document comprising said zero or more other unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;

means for requesting, from a user or process on a client device, said encrypted output document, wherein said user or process is a member of a particular group authorized to view at least one of said selected encrypted elements;

means for receiving said requested output document at said client device; and

an augmented document processor executed on said client device, comprising:

means for contacting a clerk of said particular group for decryption of selected ones of said encrypted encryption keys; and

means for decrypting said requested output document using said decrypted selected ones of said encrypted encryption keys, thereby creating a result document.



29. The system according to Claim 28, further comprising means for rendering said result document on said client device.

30. The system according to Claim 28, wherein said interim transient document comprises one or more encryption tags identifying elements needing encryption.

31. The system according to Claim 28, wherein said input document is specified in an Extensible Markup Language (XML) notation.

32. The system according to Claim 31, wherein said result document is specified in said XML notation.



33. The system according to Claim 28, wherein said stored policy enforcement objects further comprise means for overriding a method for evaluating said elements of said input document, and wherein said means for executing further comprises means for executing said means for overriding.

34. The system according to Claim 33, wherein said style sheets are specified in an Extensible Stylesheet Language (XSL) notation.

35. The system according to Claim 34, wherein said method is a value-of method of said XSL notation, and wherein said means for overriding said value-of method is by subclassing said value-of method.

36. The system according to Claim 33 or Claim 35, wherein:

said overridden method comprises:

means for generating encryption tags; and

means for inserting said generated encryption tags into said interim transient document to surround elements of said interim transient document which are determined to require encryption; and

said means for encrypting selected elements encrypts those elements surrounded by said inserted encryption tags.



37. The system according to Claim 29, wherein:

each of said instantiated policy enforcement objects further comprises:

a specification of a community that is authorized to view said elements associated with said security policy, said specification of said communities further comprising specification of at least one of: (1) one or more individual users or processes which are community members, and (2) one or more groups which are community members, wherein each of said groups comprises one or more individual users or processes; and

an encryption requirement for said elements associated with said security policy; and

wherein said particular group is specified as one of said community members.

38. The system according to Claim 37, wherein said encryption requirement further comprises specification of an encryption algorithm.

39. The system according to Claim 37, wherein said encryption requirement further comprises specification of an encryption algorithm strength value.

40. The system according to Claim 37, wherein:

said means for encrypting said encryption keys further comprises means for encrypting a different version of each of said random encryption keys for each of said one or more members of each of zero or more of said communities which uses said encryption key, and wherein each of said different versions is encrypted using a public key of said community member for which said different version was encrypted.

41. The system according to Claim 37, wherein said encryption requirement may have a null value to indicate that said specified security policy does not require encryption.
42. The system according to Claim 28, wherein said means for encrypting selected elements uses a cipher block chaining mode encryption process.

43. The system according to Claim 40, further comprising:

means for creating a key class for each unique community, wherein said key class is associated with each of said encrypted elements for which this unique community is an authorized viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said associated encrypted elements; (2) an identifier of each of said members of said unique community; and (3) one of said different versions of said encrypted encryption key for each of said identified community members; and

wherein:

said means for generating said one or more random encryption keys generates a particular one of said random encryption keys for each of said key classes, and wherein each of said different versions in a particular key class is encrypted from said generated encryption key generated for said key class; and

said means for encrypting selected elements uses that one of said particular random encryption keys which was generated for said key class with which said selected element is associated.



44. The system according to Claim [claim number missing from the page], wherein:

said means for decrypting said requested output document further comprises:

means for expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;

means for determining one or more of said expanded communities of which said requesting user or process is one of said expanded group members;

means for decrypting, for each of said determined communities, said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members, thereby creating a decrypted key for each of said determined communities; and

means for decrypting selected ones of said encrypted elements in said requested output document using said decrypted keys, wherein said selected ones of said encrypted elements are those which were encrypted for one of said determined communities; and

said means for rendering further comprises:

means for rendering said decrypted selected ones and said other unencrypted elements.



45. The system according to Claim 44, wherein:
    said means for contacting said group clerk further comprises:
        means for locating said group clerk; and
        means for establishing a session between said client device and said group clerk;
    said means for decrypting said different version for each of said determined communities further comprises:
        means for digitally signing said different version by said requesting user or process, thereby creating a first digital signature;
        means for sending said first digital signature and said different version to said group clerk on said session;
        means for receiving said sent first digital signature and said different version by said group clerk;
        means for verifying said first digital signature by said group clerk;
        means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        means for re-encrypting said decrypted different version using a public key of said requesting user or process, thereby creating a re-encrypted key;
        means for digitally signing said re-encrypted key by said group clerk, thereby creating a second digital signature;
        means for returning said second digital signature and said re-encrypted key from said group clerk to said client device on said session;
        means for receiving said second digital signature and said re-encrypted key at said client device;
        means for verifying said second digital signature at said client device; and
        means, operable on said client device, for decrypting said received re-encrypted key using a private key of said requesting user or process, creating said decrypted key; and
    said means for decrypting selected ones of said encrypted elements in said requested output document is executed at said client device using said decrypted key.
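The group clerk exchange of Claim 45 (and its method counterpart, Claim 72), as an added Go example that is not the patent's implementation: the requester signs the located version, the clerk checks membership and the first signature before unwrapping and re-wrapping the key to the requester, and the client checks the second signature before unwrapping. RSA-PSS over SHA-256 for the signatures and RSA-OAEP for the key wrapping are assumptions, as is leaving the session transport to the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Request carries the located "different version" (the class key wrapped to
// the group's public key) and the requester's signature over it: the first
// digital signature of Claim 45.
type Request struct {
	Requester string
	Version   []byte
	Sig       []byte
}

// Response carries the key re-wrapped to the requester's public key and the
// clerk's signature over it: the second digital signature.
type Response struct {
	ReKey []byte
	Sig   []byte
}

// GroupClerk holds the private key of the "one member" (the group itself)
// whose public key wrapped the class key, and the authorised members' keys.
type GroupClerk struct {
	Priv    *rsa.PrivateKey
	Members map[string]*rsa.PublicKey
}

// RSA-PSS over SHA-256 and RSA-OAEP are assumptions; the claims name neither.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

func verify(pub *rsa.PublicKey, msg, sig []byte) error {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil)
}

// ClientRequest is the requester's first step: sign the version before sending.
func ClientRequest(id string, priv *rsa.PrivateKey, version []byte) (Request, error) {
	sig, err := sign(priv, version)
	if err != nil {
		return Request{}, err
	}
	return Request{Requester: id, Version: version, Sig: sig}, nil
}

// Handle is the clerk's side: the requester is looked up in the authorised
// member list (which is where its verification key comes from), the first
// signature is verified, the version is unwrapped with the group's private key,
// re-wrapped to the requester and signed. The bare key never leaves the clerk.
func (c *GroupClerk) Handle(req Request) (Response, error) {
	pub, ok := c.Members[req.Requester]
	if !ok {
		return Response{}, fmt.Errorf("%s is not an authorised member", req.Requester)
	}
	if err := verify(pub, req.Version, req.Sig); err != nil {
		return Response{}, fmt.Errorf("first signature rejected: %w", err)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.Priv, req.Version, nil)
	if err != nil {
		return Response{}, fmt.Errorf("unwrap failed: %w", err)
	}
	rekey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Response{}, err
	}
	sig, err := sign(c.Priv, rekey)
	if err != nil {
		return Response{}, err
	}
	return Response{ReKey: rekey, Sig: sig}, nil
}

// ClientFinish verifies the second signature with the clerk's public key and
// only then unwraps the re-encrypted key with the requester's private key.
func ClientFinish(priv *rsa.PrivateKey, clerkPub *rsa.PublicKey, resp Response) ([]byte, error) {
	if err := verify(clerkPub, resp.ReKey, resp.Sig); err != nil {
		return nil, fmt.Errorf("second signature rejected: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, resp.ReKey, nil)
}
```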



46. The system according to Claim 40, wherein:
    said means for decrypting said requested output document further comprises:
        means for expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;
        means for determining one or more of said expanded communities of which said requesting user or process is one of said expanded group members; and
        means for decrypting selected ones of said encrypted elements in said requested output document, wherein said selected ones of said encrypted elements are those which were encrypted for one of said determined communities; and
    said means for rendering further comprises:
        means for rendering said returned decrypted elements and said other unencrypted elements.

47. The system according to Claim 46, wherein:
    said means for contacting said group clerk further comprises:
        means for locating said group clerk; and
        means for establishing a mutually-authenticated secure session between said client device and said group clerk; and
    said means for decrypting selected ones of said encrypted elements in said requested output document further comprises:
        means for locating said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members;
        means for sending said located different version to said group clerk, along with an element encrypted with said different version, on said secure session;
        means for receiving said sent different version and said element by said group clerk;
        means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        means for decrypting said element using said decrypted different version; and
        means for returning said decrypted element from said group clerk to said client device on said secure session.



48. The system according to Claim 43, wherein:
    said means for contacting said group clerk further comprises:
        means for locating said group clerk; and
        means for establishing a mutually-authenticated secure session between said client device and said group clerk;
    said means for decrypting said requested output document further comprises:
        means for expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;
        means for determining one or more of said key classes which identify said requesting user or process as one of said expanded group members;
        means for decrypting, for each of said determined key classes, said different version of said random encryption key in said key class which was encrypted using said public key of said one member, wherein said means for decrypting uses a private key of said one member which is associated with said public key which was used for encryption, thereby creating a decrypted key; and
        means for decrypting selected ones of said encrypted elements in said requested output document using said decrypted keys, wherein said selected ones of said encrypted elements are those which were encrypted for said key class; and
    said means for rendering further comprises:
        means for rendering said decrypted selected ones and said other unencrypted elements.



49. The system according to Claim 44, wherein:
    said means for contacting said group clerk further comprises:
        means for locating said group clerk; and
        means for establishing a mutually-authenticated secure session between said client device and said group clerk;
    said means for decrypting said different version for each of said determined communities further comprises:
        means for sending said different version to said group clerk on said secure session;
        means for receiving said sent different version by said group clerk;
        means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        means for returning said decrypted different version from said group clerk to said client device on said secure session; and
        means for receiving said decrypted different version at said client device; and
    said means for decrypting selected ones of said encrypted elements in said requested output document is executed at said client device using said received decrypted different version.

50. The system according to Claim 44, Claim 48, or Claim 49, wherein said means for 
rendering further comprises means for rendering a substitute text message for any of said selected 
encrypted elements in said requested output document which cannot be decrypted by said means 
for decrypting said requested output document. 



51. The system according to Claim [illegible], wherein:
    said means for contacting said group clerk further comprises:
        means for locating said group clerk; and
        means for establishing a session between said client device and said group clerk; and
    said means for decrypting selected ones of said encrypted elements in said requested output document further comprises:
        means for locating said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members;
        means for digitally signing, by said requesting user or process, said located version and an element encrypted with said different version, thereby creating a first digital signature;
        means for sending said first digital signature, said located different version, and said element to said group clerk on said session;
        means for receiving said sent first digital signature, said different version, and said element by said group clerk;
        means for verifying said first digital signature by said group clerk;
        means for verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        means for decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        means for decrypting said element using said decrypted different version;
        means for re-encrypting said decrypted element using a public key of said requesting user or process, thereby creating a re-encrypted element;
        means for digitally signing said re-encrypted element by said group clerk, thereby creating a second digital signature;
        means for returning said second digital signature and said re-encrypted element from said group clerk to said client device on said session;
        means for receiving said second digital signature and said re-encrypted element at said client device; and
        means for verifying said second digital signature by said requesting user or process.

RSW9-99-111    -118-

52. The system according to Claim 28, wherein said DTD is replaced by a schema.

53. The system according to Claim 37, wherein said encryption requirement further comprises specification of an encryption key length.

54. The system according to Claim 36, wherein said inserted encryption tags may surround either values of said elements or values and tags of said elements.



55. A method for enforcing security policy using style sheet processing, comprising the steps of:
    providing an input document;
    providing one or more stored policy enforcement objects, wherein each of said stored policy enforcement objects specifies a security policy to be associated with zero or more elements of said input document;
    providing a Document Type Definition (DTD) corresponding to said input document, wherein said DTD has been augmented with one or more references to selected ones of said stored policy enforcement objects;
    executing an augmented style sheet processor, further comprising the steps of:
        loading said DTD;
        resolving each of said one or more references in said loaded DTD;
        instantiating said policy enforcement objects associated with said resolved references;
        executing selected ones of said instantiated policy enforcement objects during application of one or more style sheets to said input document, wherein a result of said step of executing selected ones is an interim transient document reflecting said execution;
        generating one or more random encryption keys;
        encrypting selected elements of said interim transient document, wherein a particular one of said generated random encryption keys may be used to encrypt one or more of said selected elements, while leaving zero or more other elements of said interim transient document unencrypted;
        encrypting each of said one or more random encryption keys; and
        creating an encrypted output document comprising said zero or more other unencrypted elements, said selected encrypted elements, and said encrypted encryption keys;
    requesting, from a user or process on a client device, said encrypted output document, wherein said user or process is a member of a particular group authorized to view at least one of said selected encrypted elements;
    receiving said requested output document at said client device; and
    executing an augmented document processor on said client device, further comprising the steps of:
        contacting a clerk of said particular group for decryption of selected ones of said encrypted encryption keys; and
        decrypting said requested output document using said decrypted selected ones of said encrypted encryption keys, thereby creating a result document.



56. The method according to Claim 55, further comprising the step of rendering said result document on said client device.

57. The method according to Claim 55, wherein said interim transient document comprises one or more encryption tags identifying elements needing encryption.

58. The method according to Claim 55, wherein said input document is specified in an Extensible Markup Language (XML) notation.



59. The method according to Claim [illegible], wherein [illegible] notation.

60. The method according to Claim 55, wherein said stored policy enforcement objects further comprise executable code for overriding a method for evaluating said elements of said input document, and wherein said executing selected ones step further comprises overriding said method for evaluating.



61. The method according to Claim 60, wherein said style sheets are specified in an Extensible Stylesheet Language (XSL) notation.

62. The method according to Claim 61, wherein said method is a value-of method of said XSL notation, and wherein said step of overriding said value-of method is by subclassing said value-of method.

63. The method according to Claim 60 or Claim 62, wherein:
    said step of overriding further comprises the steps of:
        generating encryption tags; and
        inserting said generated encryption tags into said interim transient document to surround elements of said interim transient document which are determined to require encryption; and
    said step of encrypting selected elements encrypts those elements surrounded by said inserted encryption tags.
64. The method according to Claim 56, wherein:
    each of said instantiated policy enforcement objects further comprises:
        a specification of a community that is authorized to view said elements associated with said security policy, said specification of said communities further comprising specification of at least one of: (1) one or more individual users or processes which are community members, and (2) one or more groups which are community members, wherein each of said groups comprises one or more individual users or processes; and
        an encryption requirement for said elements associated with said security policy; and
    wherein said particular group is specified as one of said community members.



65. The method according to Claim 64, wherein said encryption requirement further comprises specification of an encryption algorithm.

66. The method according to Claim 64, wherein said encryption requirement further comprises specification of an encryption algorithm strength value.



67. The method according to Claim 64, wherein:
    said step of encrypting said encryption keys further comprises the step of encrypting a different version of each of said random encryption keys for each of said one or more members of each of zero or more of said communities which uses said encryption key, and wherein each of said different versions is encrypted using a public key of said community member for which said different version was encrypted.



68. The method according to Claim 64, wherein said encryption requirement may have a null value to indicate that said specified security policy does not require encryption.



69. The method according to Claim 55, wherein said step of encrypting selected elements uses a cipher block chaining mode encryption process.
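The element encryption of Claims 63 and 69 together with the substitute-text rendering of Claims 50 and 77, as an added Go example rather than the patent's implementation. It starts from an interim transient document in which the overridden value-of step has already inserted the encryption tags; the tag name and its class attribute (naming a key class), PKCS#7 padding and the IV-prefixed ciphertext layout are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"regexp"
)

// tagged matches one element surrounded by the encryption tags that the
// overridden value-of step of Claim 63 inserted. The tag name and its class
// attribute (naming the key class of Claim 43) are assumptions.
var tagged = regexp.MustCompile(`(?s)<encrypt class="([^"]+)">(.*?)</encrypt>`)

// cbcEncrypt is AES in cipher block chaining mode (Claim 69) with PKCS#7
// padding and a random IV prefixed to the ciphertext (layout assumed here).
func cbcEncrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// cbcDecrypt rejects short or ragged input before CryptBlocks can panic, and
// rejects bad padding rather than returning garbage.
func cbcDecrypt(key, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext of %d bytes is not an IV plus whole blocks", len(ct))
	}
	plain := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(plain, ct[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad padding")
	}
	return plain[:len(plain)-pad], nil
}

// rewrite applies f to each tagged element (whole match, class, body).
func rewrite(doc string, f func(m, class, body string) string) string {
	return tagged.ReplaceAllStringFunc(doc, func(m string) string {
		sub := tagged.FindStringSubmatch(m)
		return f(m, sub[1], sub[2])
	})
}

// EncryptTagged replaces each tagged element's body (tags and value, as in
// Claim 54) with base64 ciphertext under its key class; untagged elements stay in the clear.
func EncryptTagged(doc string, keys map[string][]byte) (string, error) {
	var firstErr error
	out := rewrite(doc, func(m, class, body string) string {
		key, ok := keys[class]
		if !ok {
			firstErr = fmt.Errorf("no key for class %q", class)
			return m
		}
		ct, err := cbcEncrypt(key, []byte(body))
		if err != nil {
			firstErr = err
			return m
		}
		return fmt.Sprintf(`<encrypt class="%s">%s</encrypt>`, class, base64.StdEncoding.EncodeToString(ct))
	})
	return out, firstErr
}

// DecryptTagged is the rendering step on the client: elements whose class key
// the viewer holds are decrypted; any other tagged element is rendered as the
// substitute text of Claim 50 instead of leaking ciphertext or failing the page.
func DecryptTagged(doc string, keys map[string][]byte, substitute string) string {
	return rewrite(doc, func(_, class, body string) string {
		key, ok := keys[class]
		ct, err := base64.StdEncoding.DecodeString(body)
		if !ok || err != nil {
			return substitute
		}
		plain, err := cbcDecrypt(key, ct)
		if err != nil {
			return substitute
		}
		return string(plain)
	})
}
```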



70. The method according to Claim 67, further comprising the step of:
    creating a key class for each unique community, wherein said key class is associated with each of said encrypted elements for which this unique community is an authorized viewer, and wherein said key class comprises: (1) a strongest encryption requirement of said associated encrypted elements; (2) an identifier of each of said members of said unique community; and (3) one of said different versions of said encrypted encryption key for each of said identified community members; and
    wherein:
        said step of generating said one or more random encryption keys generates a particular one of said random encryption keys for each of said key classes, and wherein each of said different versions in a particular key class is encrypted from said generated encryption key generated for said key class; and
        said step of encrypting selected elements uses that one of said particular random encryption keys which was generated for said key class with which said selected element is associated.



71. The method according to Claim 67, wherein:
    said step of decrypting said requested output document further comprises the steps of:
        expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;
        determining one or more of said expanded communities of which said requesting user or process is one of said expanded group members;
        decrypting, for each of said determined communities, said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members, thereby creating a decrypted key for each of said determined communities; and
        decrypting selected ones of said encrypted elements in said requested output document using said decrypted keys, wherein said selected ones of said encrypted elements are those which were encrypted for one of said determined communities; and
    said step of rendering further comprises the step of:
        rendering said decrypted selected ones and said other unencrypted elements.



72. The method according to Claim 71, wherein:
    said step of contacting said group clerk further comprises the steps of:
        locating said group clerk; and
        establishing a session between said client device and said group clerk;
    said step of decrypting said different version for each of said determined communities further comprises the steps of:
        digitally signing said different version by said requesting user or process, thereby creating a first digital signature;
        sending said first digital signature and said different version to said group clerk on said session;
        receiving said sent first digital signature and said different version by said group clerk;
        verifying said first digital signature by said group clerk;
        verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        re-encrypting said decrypted different version using a public key of said requesting user or process, thereby creating a re-encrypted key;
        digitally signing said re-encrypted key by said group clerk, thereby creating a second digital signature;
        returning said second digital signature and said re-encrypted key from said group clerk to said client device on said session;
        receiving said second digital signature and said re-encrypted key at said client device;
        verifying said second digital signature at said client device; and
        decrypting, at said client device, said received re-encrypted key using a private key of said requesting user or process, creating said decrypted key; and
    said step of decrypting selected ones of said encrypted elements in said requested output document is executed at said client device using said decrypted key.

73. The method according to Claim 67, wherein:
    said step of decrypting said requested output document further comprises the steps of:
        expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;
        determining one or more of said expanded communities of which said requesting user or process is one of said expanded group members; and
        decrypting selected ones of said encrypted elements in said requested output document, wherein said selected ones of said encrypted elements are those which were encrypted for one of said determined communities; and
    said step of rendering further comprises the step of:
        rendering said returned decrypted elements and said other unencrypted elements.



74. The method according to Claim [illegible], wherein:
    said step of contacting said group clerk further comprises the steps of:
        locating said group clerk; and
        establishing a mutually-authenticated secure session between said client device and said group clerk; and
    said step of decrypting selected ones of said encrypted elements in said requested output document further comprises the steps of:
        locating said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members;
        sending said located different version to said group clerk, along with an element encrypted with said different version, on said secure session;
        receiving said sent different version and said element by said group clerk;
        verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        decrypting said element using said decrypted different version; and
        returning said decrypted element from said group clerk to said client device on said secure session.



75. The method according to Claim [illegible], wherein:
    said step of contacting said group clerk further comprises the steps of:
        locating said group clerk; and
        establishing a mutually-authenticated secure session between said client device and said group clerk;
    said step of decrypting said requested output document further comprises the steps of:
        expanding said one or more groups of said communities to determine said individual users or processes in each of said expanded groups;
        determining one or more of said key classes which identify said requesting user or process as one of said expanded group members;
        decrypting, for each of said determined key classes, said different version of said random encryption key in said key class which was encrypted using said public key of said one member, wherein said step of decrypting uses a private key of said one member which is associated with said public key which was used for encryption, thereby creating a decrypted key; and
        decrypting selected ones of said encrypted elements in said requested output document using said decrypted keys, wherein said selected ones of said encrypted elements are those which were encrypted for said key class; and
    said step of rendering further comprises the step of:
        rendering said decrypted selected ones and said other unencrypted elements.

76. The method according to Claim 71, wherein:
    said step of contacting said group clerk further comprises the steps of:
        locating said group clerk; and
        establishing a mutually-authenticated secure session between said client device and said group clerk;
    said step of decrypting said different version for each of said determined communities further comprises the steps of:
        sending said different version to said group clerk on said secure session;
        receiving said sent different version by said group clerk;
        verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        returning said decrypted different version from said group clerk to said client device on said secure session; and
        receiving said decrypted different version at said client device; and
    said step of decrypting selected ones of said encrypted elements in said requested output document is executed at said client device using said received decrypted different version.



77. The method according to Claim 71, Claim 75, or Claim 76, wherein said step of rendering further comprises the step of rendering a substitute text message for any of said selected encrypted elements in said requested output document which cannot be decrypted by said step of decrypting said requested output document.



78. The method according to Claim 73, wherein:
    said step of contacting said group clerk further comprises the steps of:
        locating said group clerk; and
        establishing a session between said client device and said group clerk; and
    said step of decrypting selected ones of said encrypted elements in said requested output document further comprises the steps of:
        locating said different version of said random encryption key which was encrypted using said public key of said one member, wherein said one member is said expanded group of which said requesting user or process is one of said expanded group members;
        digitally signing, by said requesting user or process, said located version and an element encrypted with said different version, thereby creating a first digital signature;
        sending said first digital signature, said located different version, and said element to said group clerk on said session;
        receiving said sent first digital signature, said different version, and said element by said group clerk;
        verifying said first digital signature by said group clerk;
        verifying, by said group clerk, that said requesting user or process is one of said authorized members of said determined community associated with said different version;
        decrypting said different version using a private key of said one member which is associated with said public key which was used for encryption;
        decrypting said element using said decrypted different version;
        re-encrypting said decrypted element using a public key of said requesting user or process, thereby creating a re-encrypted element;
        digitally signing said re-encrypted element by said group clerk, thereby creating a second digital signature;
        returning said second digital signature and said re-encrypted element from said group clerk to said client device on said session;
        receiving said second digital signature and said re-encrypted element at said client device; and
        verifying said second digital signature by said requesting user or process.



79. The method according to Claim 55, wherein said DTD is replaced by a schema.

80. The method according to Claim 64, wherein said encryption requirement further comprises specification of an encryption key length.

81. The method according to Claim 63, wherein said inserted encryption tags may surround either values of said elements or values and tags of said elements.